Total
10721 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48601 | 1 Google | 1 Android | 2025-12-08 | N/A | 5.5 MEDIUM |
| In multiple locations, there is a possible permanent denial of service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48612 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.8 HIGH |
| In multiple locations, there is a possible way for an application on a work profile to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-62507 | 1 Redis | 1 Redis | 2025-12-08 | N/A | 8.8 HIGH |
| Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command. | |||||
| CVE-2025-59595 | 1 Absolute | 1 Secure Access | 2025-12-08 | N/A | 7.5 HIGH |
| CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. An attacker can send a specially crafted packet to a server in a non-default configuration and cause the server to crash. | |||||
| CVE-2025-63785 | 1 Onlook | 1 Onlook | 2025-12-08 | N/A | 6.1 MEDIUM |
| A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session. | |||||
| CVE-2025-12944 | 1 Netgear | 2 Dgn2200, Dgn2200 Firmware | 2025-12-08 | N/A | 8.8 HIGH |
| Improper input validation in NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with direct network access to the device to potentially execute code on the device. Please check the firmware version and update to the latest. Fixed in: DGN2200v4 firmware 1.0.0.132 or later | |||||
| CVE-2025-12942 | 1 Netgear | 4 R6260, R6260 Firmware, R6850 and 1 more | 2025-12-08 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution.This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86. | |||||
| CVE-2025-26858 | 1 Socomec | 2 Diris M-70, Diris M-70 Firmware | 2025-12-05 | N/A | 8.6 HIGH |
| A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2025-20389 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Secure Gateway | 2025-12-05 | N/A | 4.3 MEDIUM |
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS). | |||||
| CVE-2021-39261 | 2 Debian, Tuxera | 2 Debian Linux, Ntfs-3g | 2025-12-05 | 6.9 MEDIUM | 7.8 HIGH |
| A crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < 2021.8.22. | |||||
| CVE-2025-5114 | 1 Easycorp | 1 Zentao | 2025-12-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in easysoft zentaopms 21.5_20250307 and classified as critical. This vulnerability affects the function Edit of the file /index.php?m=editor&f=edit&filePath=cGhhcjovLy9ldGMvcGFzc3dk&action=edit of the component Committer. The manipulation of the argument filePath leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2014-3480 | 5 Debian, File Project, Opensuse and 2 more | 5 Debian Linux, File, Opensuse and 2 more | 2025-12-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. | |||||
| CVE-2014-0207 | 5 Christos Zoulas, Debian, Opensuse and 2 more | 5 File, Debian Linux, Opensuse and 2 more | 2025-12-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file. | |||||
| CVE-2025-53939 | 1 Accellion | 1 Kiteworks | 2025-12-04 | N/A | 6.3 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could lead to unexpectedly elevate another user's permissions on the share. This issue has been patched in version 9.1.0. | |||||
| CVE-2016-4425 | 1 Jansson Project | 1 Jansson | 2025-12-04 | 5.0 MEDIUM | 6.5 MEDIUM |
| Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data. | |||||
| CVE-2025-62164 | 1 Vllm | 1 Vllm | 2025-12-04 | N/A | 8.8 HIGH |
| vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1. | |||||
| CVE-2025-65946 | 1 Roocode | 1 Roo Code | 2025-12-04 | N/A | 8.1 HIGH |
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7. | |||||
| CVE-2025-12889 | 1 Wolfssl | 1 Wolfssl | 2025-12-04 | N/A | 5.4 MEDIUM |
| With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. | |||||
| CVE-2017-9022 | 3 Canonical, Debian, Strongswan | 3 Ubuntu Linux, Debian Linux, Strongswan | 2025-12-03 | 5.0 MEDIUM | 7.5 HIGH |
| The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which allows remote peers to cause a denial of service (floating point exception and process crash) via a crafted certificate. | |||||
| CVE-2025-66201 | 1 Librechat | 1 Librechat | 2025-12-03 | N/A | 8.1 HIGH |
| LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2. | |||||